Two Perth IT students who conducted a “research project” into SmartRiders have been found 
guilty of fraud after hacking into the Transperth-issued cards to roll back charges and gain 
what they claim was $18 in free travel.


Second-year computer science student Jack Carruthers and another Murdoch University 
student were members of a university club called 'Hack the Planet'. 


Carruthers said he felt “pressured and desperate” to deliver on a project after the university 
promised a stall at the institution's open day - on the condition the club had “something 
interesting to show.” 


But they found themselves in hot water when authorities found Carruthers had defrauded the 
Public Transport Authority out of $15, with his co-convicted scoring $3 in free rides. 
Transperth, however, says Carruthers’ figure 
was $109. 


The saga started in 2014, when Carruthers and 
friends bought technology online that could 
read information on day-to-day cards. 


He said they had carefully chosen what they 
used it for. 


“We didn't want to touch bank cards because 
that seemed like a particularly dangerous 
thing to do. The university cards didn't have 
anything on them, then we found that we 
could read the SmartRider cards,” he 
explained. 



“It was interesting because it is a very appealing topic...everyone in Perth has a SmartRider card. 
“So we met once or twice a week saving copies of our card and using a process called reverse 
engineering, cross referencing what we knew about the bus trips and train trips with the data 
that changed on the card. 


“We figured out various parts of the card we could read back on the computer.” 


They had originally planned to cross-reference the data to show they could use the cards to tell 
people what trips they had taken on Google Maps, but struggled to figure out the finer details to 
deliver on that project. 


In July 2015, as the open day loomed, Carruthers said he and his co-offender discovered a flaw 
in the SmartRider system that allowed them to roll-back charges on a card to enable free travel. 


“What we had [on Google Maps] wasn't good enough. It wasn't exposing the parts we wanted to 
find and as it was getting closer to open day I was getting a bit more desperate and a bit less 
cautious, and so I decided that I wanted to revert the card back to the state it was purchased in,” 
he said. 


“But in my head I didn't really realise or give much thought to the fact if you edit the card there 
might be some legal issue with that.” 


The move got the attention of the Public Transport Authority, which noticed the hack and 
elected to pursue charges. 


Carruthers pleaded not guilty in court and said he believed the PTA wanted to make an example 
of him. 


PTA spokesman David Hynes said Transperth staff picked up Carruthers’ unusual transactions 
within hours of the first occurrence. 


“We investigated these transactions further, developed a brief of evidence, and once we were 
satisfied that an offence may have been committed, we reported our findings to police,” he said. 


“Police subsequently charged two people who were found guilty of fraud offences in the Perth 
Magistrates Court. The PTA understands the second person charged is appealing their 
sentence. 


“During the trial, it was alleged those involved adjusted the internal memory of their own 
SmartRider cards to gain free travel.” 


In a statement, Murdoch University said it was aware of the charges against its students but 
said the activity was carried out independently and was not part of a university class or course. 


“All students are encouraged to understand and learn about technology in and out of class,” the 
statement read. 


“They are, however, never encouraged to engage in any illegal activities. Topics of ethics and its 
relation to computer security are learning objectives in our course. 


“Had the students advised staff that they planned to test out their concepts at a train station 
then they would have been counselled against doing so.” 


Mr Hynes said the student's activities did not hack into the SmartRider database, which was 
never compromised. 


“The details of all SmartRider holders remain confidential,” he said. 
“Transperth services are largely funded by, and for the benefit of, WA taxpayers. 


“Any attempt to gain free travel, particularly when it involves a deliberate effort to repeatedly 
circumvent the SmartRider system, is an offence, and will be treated as such.” 